Light Dark
April 14, 2016 By Johan Arts 3 min read
Cloud Security
Data Protection

As a kid, I remember being proud of the stamps in my passport so I could show my grandparents which countries I had visited. Nowadays, there are only a few countries that even issue stamps for a passport. Going from country to country has been made easy.

When you (as an organization or an individual) put data into the cloud, you know that you are handing it over to a provider who may have data centers in many places, countries or even continents. These days, most people understand that storing data in the cloud means that your data needs to be physically stored on a device somewhere, though it is accessible anywhere. What most people don’t realize is where their data is going, where it travels through and where it is heading next.

Data Travels in the Cloud

As your cloud data traverses the world, it would be nice if you knew where it went. Governments are increasingly demanding that organizations can verify where the data they upload to the cloud goes. They are holding the uploaders accountable — in some cases even penalizing them if data passes certain borders unexpectedly or without permission.

For a regular customer using a cloud-based application, it is not easy to understand where the data you are accessing is really stored. The application or platform provider may be based in London, but the servers might be in Amsterdam, the U.S. or the Far East. Your data may reside in a data center in the U.K. today but be moved to Bangalore as part of an optimization process tomorrow.

And what about those cloud and mobile applications that you never authorized? Thanks to transformations in cloud and mobile, employees can sign up for new digital services with only a few clicks. Some of these tools and cloud-based technologies give employees immediate access to the productivity and collaboration they need to do their jobs much more efficiently than established or authorized apps allow. It’s the way people now want to work.

Whether it’s allowed by employers or not, they’re still going to use outside tools and upload company data to them. In a recent study, it was discovered that 1 in 3 employees at Fortune 1000 companies share and upload corporate data on third-party cloud apps.

Approaches to Data Protection

Organizations realize they need to deal with this challenge, and we see two possible starting points.

1. Legal/Procedural Approach

During the formal acquisition process for a new cloud, mobile or software-as-a-service (SaaS) provider, organizations may have to go through a step in which they involve the legal department to ask a series of questions related to business risk, data privacy and compliance. The legal team may have a checklist and can ask the cloud vendor to document the flow of the data. They may even require specific legal contracts such as EU model clauses to be put in place to govern data privacy requirements as per individual country laws.

This approach works well in situations where authorization of the use of cloud apps and services is formally requested. However, the reality is that many cloud and SaaS applications are activated by employees without prior authorization from the employer. Furthermore, the setup of the cloud provider may change. How do you ensure your organization is on top of this so-called shadow IT, and how do you deal with changes over time?

2. Network/Security Approach

Your organization may have already deployed technologies capable of analyzing network traffic such as Web application firewalls (WAF), intrusion detection solutions (IDS) or intrusion prevention systems (IPS). If these technologies cover the entire enterprise network, they can provide a good starting point for analyzing the extent of unauthorized use. If such technologies only cover part of the network, ask if there is appetite to make further capital investments in network hardware or if it is more efficient to consider SaaS to support the automated detection phase.

Organizations should integrate their legal/procedural approach with their network/security approach to gain the appropriate insight into the risk and mitigation associated with cloud security.

Ask the Right Questions

Related to cloud security governance, organizations should ask themselves the following questions:

  • What SaaS, cloud and mobile applications do your employees use?
  • Can you leverage existing technology for inspecting network traffic? Is there an opportunity to introduce automated discovery technology that can help discover authorized and unauthorized SaaS use and country-level data flows?
  • Have you made an inventory of the specific risks associated with cloud, SaaS and mobile for your organization? Did you design specific business controls to mitigate the risks related to cloud security?
  • Do you require the business owners of SaaS, cloud and mobile applications to comply with a cloud security governance process that checks against a series of business controls?

It all comes down to your appetite for taking risks. Organizations should design their cloud security governance process based on their own profile and policy, the requirements of the industry and geography they operate in and their own specific preferences.

 |  |  |  | 
Johan Arts
Vice President of Security Sales for Europe, IBM

More from Cloud Security
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 4, 2024

Cloud security uncertainty: Do you know where your data is?

3 min read - How well are security leaders sleeping at night? According to a recent Gigamon report, it appears that many cyber professionals are restless and worried.In the report, 50% of IT and security leaders surveyed lack confidence in knowing where their most sensitive data is stored and how it’s secured. Meanwhile, another 56% of respondents say undiscovered blind spots being exploited is the leading concern making them restless.The report reveals the ongoing need for improved cloud and hybrid cloud security. Solutions to…

March 14, 2024

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature